I've got some MBean operations that I need to secure. I would like the users to be required to log in as the server admin and I would like this to be setup programmaticly or, preferably by a config file in the WAR, when the app is deployed. I want to avoid requiring the admin to set this up as a deployment step.
We're running glassfish, but platform neutral is preferred. However, glassfish specific config files would be fine.
By default, the Sun JDK allows you to perform access control by putting credentials in the filesystem, which would live outside your jar. See the management guide for details.
However, since you want to control things from within your app, you can use JAAS to replace the file-based configuration with your own. See the java docs on com.sun.jmx.remote.security.JMXPluggableAuthenticator for details.
You could programmatically inject your own JAAS provider, and then manage the authentication details however you like.
Related
Is there any ability to list/manage WAS Liberty queues besides server xml config? Liberty version does not support WAS admin console with it's MQ managing functionality
WebSphere Liberty was designed to have simple configuration, that can be part of your source artifacts and deployed easily via CI/CD tools. So in general it is rather not recommended to modify running server configuration, rather prepare and deliver new server via your pipeline.
Having said that, you can modify server.xml file, and most of the modification will be integrated into running server without the restart.
You also have adminCenter feature, which will give you simplified web console. That console will allow you to modify server.xml via browser, with editor that knows the correct syntax so you dont have to remember all the tag names. However you will not get 'wizard' like console, that you currently have in traditional WAS server.
Jolokia is uncharted territory for me, and after having read the documentation, I'm still not sure if it'll work with the scenario I have in mind.
Setup:
Tomcat application server (version ranges from 6.x to 7.x), usually on a Windows platform, occasionally a flavour of Linux.
Deployed third-party Java web application (SAP BusinessObjects) with JMX monitoring enabled (accessible through RMI).
Possible gotcha's:
The Java web application to be monitored is commercial and closed source, so modifications are not possible. The only thing that can be changed is the JMX port number
The JMX endpoint is a custom one, thus not the default jmxrmi endpoint.
The JMX connection requires authentication.
Goal:
What I'd like to do is to deploy the Jolokia WAR file onto the Tomcat server and then configure it so that I can read the MBean attributes from the other web application.
I would code the client myself using Python (version 3) and the Requests HTTP library.
I've been reading through the Jolokia documentation (again, I'm a complete newbie at this point), but can't figure out if this would be possible or not (as I can't seem to find where to enter the JMX/RMI url or the authentication information).
Questions:
Can I use the WAR agent for this setup?
If not, can you please explain why (so I can understand, not because I don't believe you). Also, is there another agent that's more suited for this scenario?
If yes, can you point me in the right direction how to configure the Jolokia to the web application to connect to?
First of all, Jolokia by passes the JSR-160 connector stuff completely, so there is no need for any JMX/RMI authentication. The whole purpose of Jolokia is to provide a bridge over HTTP/JSON to the internal JMX subsystem. Depending on the agent, you can secure Jolokia quite easily. For the WAR agent, securing is the same as for any Java EE web app: Setup some roles and users for tomcat (e.g. in tomcat-users.xml) and reference the role in the security contstraints within the jolokia.war's /WEB-INF/web.xml.
To your questions:
Yes, you can. If you don't have any specific authentication needs, simply drop the jolokia.war into tomcat's /webapps directory. I suggest to try this first before adding security. For deinstalling the agent, simply remove the war.
As an alternative, you could also use the JVM agent, which opens an own HTTP server on an extra port (default: 8778). More on this in the reference manual
There is no need for a dedicated connection to the web app since MBeans are registered globally and are accesible from anywhere in the JVM. A webapp should of course select carefully the management information it exposes. So, there is no extra step needed and you can access the MBeans for the WEB app directly (except when it does something unusual with Java security, but I don't think so).
To test the installation, simply connect to the Tomcat with your browser and the context /jolokia (e.g. "http://localhost:8080/jolokia"). You should see the version information about the agent itself.
The next step would be to explore the JMX namespace, either with the browser (and operation "list" like in http://localhost:8080/jolokia/list , but that's tedious) or with a client like j4psh or hawt.io. Hopefully you will find the MBeans of your webapp you are looking for.
I am developing an web app using java/j2ee as middle ware and Mysql 5.1 as database. I have to deploy it on AWS-EC2 server.
My questions are:
How do I create the build
How do I deploy on ec2 server?
I am using Apache Tomcat-6. Should I use any other server like Apache2 as web-server?
Use WTP to create a Dynamic Web Module project.
Use AWS Toolkit for Eclipse
That's pretty terse, but you'll need so many more details that it's pointless to list them here. Read the docs, then come back with specific questions :)
Whether you need Apache2 in front of Tomcat depends on your requirements. If you need it you'll know it :) Things that you might want to punt off on Apache2:
SSL
Static content
URL rewriting
If you are just planning to do every thing manually. You should read this manual http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/
Basically,
You need to create an AMI instance of platform of your choice. (Win/Unix-based).
Configure it with the software that you need. In your case, Tomcat-6 and MySQL-5.1. Configure them. Set Schema etc.
Upload your WAR file to the instance and deploy to Tomcat-6.
Make sure Tomcat port (8080 or whatever you've configured) is open. You can configure this from AWS console's Security Group setting.
Use the instance's Public DNS to access your app. Public DNS can be found from AWS console.
There are many freely available, pre-configured AMI available. Since your setting is one of the most common one. I am sure you will get one and skip Step#2.
As part of all the development of some use cases, I've used a properties file approach to handle almost all the configuration parameters in the project.
Even when this approach is a security safe approach, I need to be able to change this parameters on the application, so I need an admin web module to be able to change at runtime all the configuration on the properties file.
I would like to know if there's any WAR that I can put on my website to enable dynamic web application modification.
I found that the Apache Commons Configuration enables me to do runtime modifications, but I haven't found a CRUD application for properties files.
Does anyone know one?
Agreed with Isaac's and ruffp's comments. Even if you did manage a way to update the contents of the property files at runtime, this wouldn't solve the issue that most of the properties are likely loaded once and not read again until the application is restarted. You're best off using Java EE environment entries, or a backing database.
Another option is to use JMX management beans. These beans could then be accessed through any JMX management tool, including jconsole - or your could use any available web front-end to access them as well, including any provided by an application server.
For a typical J2EE web application, the datasource connection settings are stored as part of the application server configuration.
Is there a way to version control these configuration details? I want more control on the datasource and other application server config changes.
What is the standard practice for doing this?
Tracking configuration changes to your application server through version control is a good thing to ask for. However, It does imply that all changes are done via scripting, instead of the administrative web interface. I recommend
http://www.ibm.com/developerworks/java/library/j-ap01139/index.html?ca=drs-
as a good background information article on this topic.
Update: Just recently, part 2 has been published here: http://www.ibm.com/developerworks/java/library/j-ap02109/index.html?ca=drs-
When working with WebSphere we found the best approach was to script the deployment and place the script under version control plus the response files for each of the target environments.
Websphere canbe tricky as the directory structure is a mess of files - often there appears to be duplicates and it's hard to figure which is the magic file you need to backup / restore . The question of how to go about this should not detract from the need to do it. - which is a definite yes.
Our (Spring) apps have a hardcoded jndi name in the spring config file. That way, the same ear can be deployed to dev, qa and prod environments, and you don't have to worry about database connection details.
The app server admins ensure that a datasource is registered against that jndi name, with the connection details as appropriate on each environment.
But how does this let me manage changes to datasource configurations in the application servers. Here's a scenario:
DBAs change the connection password of the database server.
Webspehere/Weblogic administrator makes corresponding changes to server configuration through administrator console.
The above change is not version controlled so there is no clean way of knowing the history of such changes.
The problem is not about how the application should be configured but about how the configuration changes should be version controlled. Perhaps it sounds like an overkill for simple projects but for some projects, controlling changes like these really becomes a problem.
Any time you ask yourself "should X be in version control" the default answer is "yes".
For a more refined answer, ask yourself this: is the file created by a person (like a source file or a document) or is it generated by another program (like an object file or a distribution PDF)?
File that are created, and/or maintained, by a human should be under configuration control.
We are always using version control for our app server settings. It's a tool called WLST (weblogic scripting tool) which is part of the weblogic server distribution. The domain configuration is stored within a Jython script, which can easily be executed via command line and therefore integrates superb with our build tool maven.
Creating a preconfigured running weblogic domain only needs to execute a maven goal. All those annoying problems of misconfigured jdbc connections or wrong jms destination parameters are gone. You will always have a appserver configuration which matches the source code at a given time. You will never need to remember which app server setting must be applied for this specific version of the project you are working on.
I really recommend this.
I also would like to know, if there are similar solutions for other application server available. As far as i know there is a way for glassfish via ant. How this can be achieved for JBoss?